Building an Insider Threat Program: Some Low-Cost Tools (Part 2 of 2)
Published in: Insider Threat
This is the second part of a two-part series about considering low-cost tools for starting your insider threat program. In the first part of this series, I discussed the five categories of tools available to insider threat programs to use, as needed, as part of their operations. In this part, I provide examples of low-cost tools that are available in this space.
The following tools may meet one or more needs of your insider threat program. This is not a complete list of tools. CERT hasn't tested them and, as a Federally Funded Research and Development Center (FFRDC), cannot endorse or recommend them specifically, nor can CERT determine their suitability for use in your environment. I encourage you to test these tools prior to acquisition and implementation.
User Activity Monitoring (UAM)
- Open Source HIDS SECurity (OSSEC) (https://www.ossec.net/)
- Security Onion (https://securityonion.net/)
  (Security Onion is a collection of tools for network traffic monitoring and logging.)
- Squid Proxy Server (http://www.squid-cache.org) and Dansguardian (https://www.smoothwall.com/)
  (Both tools can be combined to filter web content and log website visits. Dansguardian is not actively maintained.)
- Packet Capture Tools: Tcpdump (http://www.tcpdump.org/), NetworkMiner (https://www.netresec.com/?page=NetworkMiner), and Wireshark (https://www.wireshark.org/)
Data Loss Prevention
Security Information and Event Management (SIEM) Systems
Analytics Tools
Digital Forensics Tools
- FTK Imager (https://accessdata.com/product-download?/support/product-downloads)
- Autopsy (http://www.sleuthkit.org/autopsy/)
- Volatility (https://www.volatilityfoundation.org/)
- SANS Investigative Forensic Toolkit (https://digital-forensics.sans.org/community/downloads)
- CERT Forensics Tools: ADIA (https://forensics.cert.org/)
- PALADIN (https://sumuri.com/software/paladin/)
You can see from this partial list that there are quite a few options available to help you start planning for and implementing the technical aspects of your insider threat program. There are many other tools available that aren't listed, so I encourage you to explore other options. The goal of this blog series was to provide information as a means to get started.
If you have experience with other open source or freely available tools that could be leveraged in an insider threat program, I would like to hear from you. Please get in touch with me using the links provided below.